It was discovered that fetchmail, a full-featured remote mail retrievaland forwarding utility, is vulnerable to the "Null Prefix Attacks AgainstSSL/TLS Certificates" recently published at the Blackhat conference.This allows an attacker to perform undetected man-in-the-middle attacksvia a crafted ITU-T X.509 certificate with an injected null byte in thesubjectAltName or Common Name fields.

Note, as a fetchmail user you should always use strict certificatevalidation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports)or sslcertck sslproto tls1 (for STARTTLS-based services)

For the oldstable distribution (etch), this problem has been fixed inversion 6.3.6-1etch2.

For the stable distribution (lenny), this problem has been fixed inversion 6.3.9~rc2-4+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed inversion 6.3.9~rc2-6.

We recommend that you upgrade your fetchmail packages.

Upgrade instructions- --------------------

wget url will fetch the file for youdpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line forsources.list as given below: